Epe v22008618 S方式 脱壳脚本

1、/Epe v2.2008.6.18 S方式 脱壳脚本/作者: david_hee Begin: var patch1 var OEP gpa "IsDebuggerPresent","kernel32.dll" ISDEBUGGER: bp $RESULT esto bc $RESULT mov patch1 ,71209E4C /711FDC23 mov patch1,#BEAB376100# mov patch1 ,7120C95C /71209182 mov patch1,#BE54AE1200# mov patch1 ,711FB4F1 /712

2、0B83D mov patch1,#BE04F54800# mov patch1 ,711F9654 bp 7120A207 /71209687 esto bc 7120A207 /71209687 mov OEP,eax bp OEP esto bc OEP/ pause var dwIATStart var dwIATEnd var dwAddrIAT var dwPatchAddrFixIAT var dwPatchAddrFixReplaceCode var dwPatchAddrFixSDK var dwEIP var dwOrigImageBase var dwPPStructEn

3、try var dwStructEntry /代码替换 var dwCodeReplaceAddr var dwCodeReplaceSize /SDK var dwSDKAddr var dwSDKSize /需要修复的IAT地址范围 var dwMaxIATAddr var dwMinIATAddr var PatchCase var CaseCode var tmpaddr var count /= mov dwPPStructEntry, 7122518C mov dwPatchAddrFixIAT, 711F55C6 mov PatchCase , 711F5CE3 mov dwPa

4、tchAddrFixReplaceCode, 711F5991 mov dwPatchAddrFixSDK, 711F56DD mov dwEIP, eip exec pushad ende /强制S方式解密 and 712388C6, FFFFFF00 /定位结构 mov dwStructEntry, dwPPStructEntry /= /代码替换 /= mov dwCodeReplaceAddr, dwStructEntry add dwCodeReplaceAddr, 3CC /需要修改 mov dwCodeReplaceSize, dwStructEntry add dwCodeRe

5、placeSize, 3F0 /需要修改 /= gmi dwEIP, MODULEBASE mov dwRAWModuleBase, $RESULT mov eax, dwRAWModuleBase+3C add eax, dwRAWModuleBase mov dwOrigImageBase, eax+34, 4 /取文件中 ImageBase add dwIATStart, dwRAWModuleBase add dwIATEnd, dwRAWModuleBase mov dwAddrIAT, dwIATStart cmp dwCodeReplaceSize, 0 je ExitFixRe

6、placeCode pause /Fix Replace Code 修复代码替换 /= var dwReplaceCodeStart var dwReplaceCodeEnd var dwReplaceCodeAddr var dwRAWModuleBase var dwOrgReplaceCodeAddr var dwRestoreCodeStart mov dwReplaceCodeStart, dwCodeReplaceAddr mov dwReplaceCodeEnd, dwCodeReplaceAddr add dwReplaceCodeEnd, dwCodeReplaceSize

7、sub dwReplaceCodeEnd, 4 mov dwMaxIATAddr, 0 mov dwMinIATAddr, FFFFFFFF /Statr Fix /= bp PatchCase bp dwPatchAddrFixReplaceCode mov dwReplaceCodeAddr, dwReplaceCodeStart loopFixReplaceCodeCode: cmp dwReplaceCodeAddr, dwReplaceCodeEnd ja ExitFixReplaceCode mov eax, dwReplaceCodeAddr sub eax, dwOrigIma

8、geBase add eax, dwRAWModuleBase mov dwOrgReplaceCodeAddr, eax mov eip, eax inc count eval "ReplaceAddr :eax Count:count" log $RESULTRunAgain: run cmp eip,dwPatchAddrFixReplaceCode je Case6/ cmp eip,dwPatchAddrFixIAT/ je IsCALL cmp eip,PatchCase jne Error mov CaseCode,ecx cmp CaseCode,5 ja

9、RunAgain je Case5 cmp CaseCode,4 je Case4 cmp CaseCode,3 je Case3 cmp CaseCode,2 je Case2 cmp CaseCode,1 je Case1Case0: /未发现使用 pause jmp RunAgain Case1: /is Call jmp RunAgain Case2: /is Push xxxxxxxx bp 711F5DA2 run bc 711F5DA2 mov tmpaddr, dwOrgReplaceCodeAddr mov tmpaddr, #FF35# add tmpaddr, 2 mov

10、 tmpaddr,ebx,4 jmp RunAgain Case3: /未发现使用 pause jmp RunAgain Case4: /is Mov xxxxxxxx,xxxxxxxx bp 711F5E0E run bc 711F5E0E mov tmpEax, eax mov tmpEdx, edx mov tmpaddr, dwOrgReplaceCodeAddr mov tmpaddr, #C705# add tmpaddr, 2 mov tmpaddr,tmpEax,4 add tmpaddr,4 mov tmpaddr,tmpEdx,4 jmp RunAgainCase5: /未

11、发现使用 pause bp 711F5E79 run bc 711F5E79 jmp RunAgain Case6: /is Mov eax/ebx/ecx/edx/esi/edi, xxxxxxxx cmp CaseCode,2 je NextAddr cmp CaseCode,4 je NextAddr /判断被偷代码类型 mov eax,esp cmp ax, 15FF je Error cmp ax, 25FF je Error cmp ax, E990 jne Case6_2 mov tmpaddr,esp mov eax,tmpaddr+2 add eax,dwOrgReplace

12、CodeAddr cmp eax,71200000 jb Case6_1 Case6_0: mov tmpaddr, dwOrgReplaceCodeAddr mov tmpaddr, #68# add tmpaddr, 1 mov eax,esp add eax,2 mov ecx,eax add eax,ecx add eax,4 mov tmpaddr,eax,4 add tmpaddr,4 mov tmpaddr, #C3# jmp NextAddr Case6_1: bp dwPatchAddrFixIAT run bc dwPatchAddrFixIAT mov tmpaddr,

13、dwOrgReplaceCodeAddr mov tmpaddr, #68# add tmpaddr, 1 mov eax, esp mov ecx, eax cmp cx, 25FF jne Case6_1_1 mov eax,eax+2Case6_1_1: mov tmpaddr,eax add tmpaddr,4 mov tmpaddr, #C3# jmp NextAddrCase6_2: mov dwRestoreCodeStart, esp mov esi, dwRestoreCodeStart mov edi, dwOrgReplaceCodeAddr mov eax, esi m

14、ov edi, eax add edi, 2 add esi, 2 mov eax, esi mov edi, eax NextAddr: add dwReplaceCodeAddr, 4 add esp, 4 jmp loopFixReplaceCodeCode ExitFixReplaceCode: /Exit FixReplaceCode bc dwPatchAddrFixReplaceCode bc PatchCase bc dwPatchAddrFixIAT pause /= /Fix IAT /= mov dwMinIATAddr, 01001000 /需要修改 mov dwMax

15、IATAddr, 010012FC /需要修改 mov dwAddrIAT, dwMinIATAddr mov dwIATEnd, dwMaxIATAddr bp dwPatchAddrFixIAT loopFixIAT: cmp dwAddrIAT, dwIATEnd ja ExitFixIAT mov eax, dwAddrIAT mov ebx, eax cmp ebx, 0 je nextFixIAT and ebx, 70000000 cmp ebx, 0 jne nextFixIAT mov eip, eax run mov eax, esp cmp ax,25FF je FixI

16、ATnew mov dwAddrIAT, esp add esp,4 jmp nextFixIATFixIATnew: mov tmpaddr, esp mov tmpaddr, tmpaddr+2 mov dwAddrIAT, tmpaddr add esp, 4nextFixIAT: add dwAddrIAT, 4 jmp loopFixIATExitFixIAT: bc dwPatchAddrFixIAT pause /= /Fix CallApi /= mov tmpaddr,01001800 /需要修改 mov count,0loopFixCallApi: find tmpaddr

17、, #90E8?# mov eax,$RESULT mov tmpaddr,eax add tmpaddr,6 cmp eax,0 je ExitFixCallApi mov eip,eax stionlyjmp2: sti mov edx,eip cmp dl,E9 je onlyjmp2 cmp dl,68 je onlyjmp1 cmp dl,C3 jne Error sti mov edx,eip cmp dx , 25FF jne Error mov edx,eip+2 mov edx,edx mov esi,dwMinIATAddr jmp loopSearchIAT onlyjm

18、p1: /=Search Position in IAT mov edx,eip+1 mov esi,dwMinIATAddrloopSearchIAT: mov ecx,esi cmp edx,ecx je HasFindApi add esi,4 cmp esi, dwMaxIATAddr ja onlyjmp2 jmp loopSearchIATHasFindApi: mov eax,#FF15# add eax,2 mov eax,esi,4 add esp,4 inc count jmp loopFixCallApiExitFixCallApi: eval "Fix Cal

19、lApi :count" log $RESULT /= /Fix JMPApi /= mov tmpaddr,01001800 /需要修改 mov count,0loopFixJmpApi: find tmpaddr, #90E9?# mov eax,$RESULT mov tmpaddr,eax add tmpaddr,6 cmp eax,0 je ExitFixJmpApi mov eip,eax stionlyjmp22: sti mov edx,eip cmp dl,E9 je onlyjmp22 cmp dl,68 je onlyjmp21 cmp dl,C3 jne Er

20、ror sti mov edx,eip cmp dx , 25FF jne Error mov edx,eip+2 mov edx,edx mov esi,dwMinIATAddr jmp loopSearchIAT2 onlyjmp21: /=Search Position in IAT mov edx,eip+1 mov esi,dwMinIATAddrloopSearchIAT2: mov ecx,esi cmp edx,ecx je HasFindJmpApi add esi,4 cmp esi, dwMaxIATAddr ja onlyjmp22 jmp loopSearchIAT2HasFindJmpApi: mov eax,#FF25# add eax,2 mov eax,esi,4 add esp,0 inc count jmp loopFixJ